author | Thomas Gerbet | 2020-05-10 22:41:21 +0200 |
---|---|---|
committer | Thomas Gerbet | 2020-05-10 22:41:21 +0200 |
commit | d563baebdcd92c7ccc1026765b0cb8b2673091e3 (patch) | |
tree | a69d27aeab9a1e35efc39e5adaf4011203153ef7 | |
parent | b06c80be4cdff3654ef9ea2c042604318f1d047d (diff) | |
download | aur-d563baebdcd92c7ccc1026765b0cb8b2673091e3.tar.gz |
Make systemd-analyze security happy
-rw-r--r-- | .SRCINFO | 4 | ||||
-rw-r--r-- | PKGBUILD | 4 | ||||
-rw-r--r-- | yubikey-agent.service | 24 |
3 files changed, 27 insertions, 5 deletions
@@ -1,7 +1,7 @@
 pkgbase = yubikey-agent
 pkgdesc = A seamless ssh-agent for YubiKeys
 pkgver = 0.1.1
- pkgrel = 1
+ pkgrel = 2
 url = https://filippo.io/yubikey-agent
 arch = x86_64
 license = BSD
@@ -10,7 +10,7 @@ pkgbase = yubikey-agent
 source = https://github.com/FiloSottile/yubikey-agent/archive/v0.1.1.tar.gz
 source = yubikey-agent.service
 sha256sums = ba105395ec8321512742f69ce9cf7fc2fe4e107cf667c2b48d13749efff23d5c
- sha256sums = 29de8c4a3825f17919154fcc775a4c9da1e42569e8aee5b5e5b5150f25d2810f
+ sha256sums = f50e0876cb6d13d7cbbb325053f3c6702aabc16948e266cc7c92a0ffc9ace0b9
 pkgname = yubikey-agent
@@ -6,7 +6,7 @@
 pkgname=yubikey-agent
 pkgver=0.1.1
-pkgrel=1
+pkgrel=2
 pkgdesc='A seamless ssh-agent for YubiKeys'
 arch=('x86_64')
 url="https://filippo.io/yubikey-agent"
@@ -19,7 +19,7 @@ source=(
 )
 sha256sums=(
 'ba105395ec8321512742f69ce9cf7fc2fe4e107cf667c2b48d13749efff23d5c'
- '29de8c4a3825f17919154fcc775a4c9da1e42569e8aee5b5e5b5150f25d2810f'
+ 'f50e0876cb6d13d7cbbb325053f3c6702aabc16948e266cc7c92a0ffc9ace0b9'
 )
 build() {
diff --git a/yubikey-agent.service b/yubikey-agent.service
index be8b2a970977..95f6d8c1cdde 100644
--- a/yubikey-agent.service
+++ b/yubikey-agent.service
@@ -6,7 +6,29 @@ Documentation=https://filippo.io/yubikey-agent
 ExecStart=/usr/bin/yubikey-agent -l %t/yubikey-agent/yubikey-agent.sock
 ExecReload=/bin/kill -HUP $MAINPID
 ProtectSystem=strict
-NoNewPrivileges=true
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+ProtectClock=yes
+ProtectHostname=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateUsers=yes
+IPAddressDeny=any
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+LockPersonality=yes
+CapabilityBoundingSet=
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+NoNewPrivileges=yes
+KeyringMode=private
+UMask=0177
 RuntimeDirectory=yubikey-agent
 [Install] |
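Review bot: The directory created by `RuntimeDirectory=yubikey-agent` keeps systemd's default mode 0755 even though the new `UMask=0177` makes the socket inside it owner-only; adding `RuntimeDirectoryMode=0700` beside it would keep the directory holding the agent socket private as well. The 23 added directives also arrive without a comment, and the start of the `[Service]` section is outside this hunk, so the manager the unit is meant for cannot be read from here. If it is a per-user manager (the `%t` in ExecStart resolves differently there), settings such as `PrivateUsers=`, `PrivateDevices=` and `IPAddressDeny=` depend on unprivileged user namespaces or may not be enforced, so the `systemd-analyze security` score could overstate the effective confinement. A one-line comment above the block, e.g. `# Sandbox: agent only needs AF_UNIX sockets; verify enforcement under the manager this unit is installed for`, would record that assumption for whoever next loosens or extends the list.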